experimental namespace for openid.net

George Fletcher gffletch at aol.com
Fri Jul 10 18:58:55 UTC 2009


+1 to http://experimental.openid.net

It would be good to add this to the "repository" work Breno and John are 
doing as having a registry for experimental URIs would be good as well.

Thanks,
George

Dirk Balfanz wrote:
> [+general at openid.net for a broader audience]
>
> On Thu, Jul 9, 2009 at 4:45 PM, Dirk Balfanz <balfanz at google.com> wrote:
>
>     Hi guys, 
>
>     Google would like to launch a feature in which we're allowing our
>     Google Apps hosted domains to become OpenID providers. The
>     authentication part of it is pretty simple - Google is already
>     logging in users to their apps, so we can also host an OP endpoint
>     for those domains and send assertions back to Relying Parties.
>     What is more difficult is the discovery part. We have been working
>     with the XRI TC to define a XRD-based discovery protocol that
>     would allow this kind of hosting of discovery documents on behalf
>     of our customers. 
>
>     We believe that providing proof-of-concept implementations drives
>     standardization processes forward, so in this spirit we want to
>     launch this feature in the near future, using a discovery protocol
>     that as far as we can tell meets all the requirements of what the
>     XRI TC is currently converging on, but which has not been vetted
>     as an official standard (it's a chicken and egg thing - without
>     PoC no standards, without standards by definition no
>     standards-compliant implementations).
>
>     While we were tossing around ideas
>     (http://markmail.org/message/ixc5led2lobdwij2) in the
>     standardization committees we just used random identifiers for new
>     XML namespaces, etc. that we would need for this discovery
>     protocol. Now that we're about to launch we need to decide what to
>     call these things. We would like to use a namespace
>     in http://specs.openid.net/... because we want this kind of
>     discovery protocol to be part of OpenID, but we can't really use
>     them because we don't have a next-generation discovery protocol yet. 
>
>     So what should we use? How
>     about http://experimental.openid.net/... ? That way, Relying
>     Parties know that what we're trying to do is be a part of the
>     OpenID community and bring the protocol forward. On the other
>     hand, this would also be a signal to the RP that they're using a
>     feature that has not been vetted as a standard yet. 
>
>     For example, a discovery document for a domain balfanz.net
>     at Google might look like this (notice the
>     "experimental" namespace and the XML elements using it):
>
>     <?xml version="1.0" encoding="UTF-8"?>
>     <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod Algorithm="http://docs.oasis-open.org/xri/xrd/2009/01#canonicalize-raw-octets" />
>           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>         </ds:SignedInfo>
>         <ds:KeyInfo>
>           <ds:X509Data>
>             <ds:X509Certificate>
>             MIICgjCCA...
>             </ds:X509Certificate>
>             <ds:X509Certificate>
>             MIICsDCCAhmgAwIB...
>             </ds:X509Certificate>
>           </ds:X509Data>
>         </ds:KeyInfo>
>       </ds:Signature>
>       <XRD>
>         <CanonicalID>balfanz.net</CanonicalID>
>         <Service priority="0">
>           <Type>http://specs.openid.net/auth/2.0/server</Type>
>           <Type>http://openid.net/srv/ax/1.0</Type>
>           <Type>http://specs.openid.net/extensions/pape/1.0</Type>
>           <URI>https://www.google.com/a/balfanz.net/o8/ud?be=o8</URI>
>         </Service>
>         <Service priority="0" xmlns:experimental="http://experimental.openid.net/google/2009/07/xmlns/">
>           <Type>http://www.iana.org/assignments/relation/describedby</Type>
>           <MediaType>application/xrds+xml</MediaType>
>           <experimental:URITemplate>https://www.google.com/accounts/o8/user-xrds?uri={%uri}</experimental:URITemplate>
>           <experimental:NextAuthority>hosted-id.google.com</experimental:NextAuthority>
>         </Service>
>       </XRD>
>     </xrds:XRDS>
>
>     What do you guys think?
>
>     Dirk.
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
>   
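Added example (not from the thread or from Google's implementation): an RP-side helper that parses an XRDS document shaped like Dirk's, lists each Service with its types, and flags any Service carrying elements from a namespace under http://experimental.openid.net/, which is exactly the signal Dirk proposes the namespace should give a Relying Party. The `{%uri}` substitution rule in `expand_uri_template` is an assumption; the thread only shows the template syntax.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote

XRD_NS = "xri://$xrd*($v*2.0)"
EXPERIMENTAL_PREFIX = "http://experimental.openid.net/"

# Constructed sample modelled on the document in the thread (signature omitted).
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <CanonicalID>balfanz.net</CanonicalID>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://www.google.com/a/balfanz.net/o8/ud?be=o8</URI>
    </Service>
    <Service priority="0" xmlns:experimental="http://experimental.openid.net/google/2009/07/xmlns/">
      <Type>http://www.iana.org/assignments/relation/describedby</Type>
      <MediaType>application/xrds+xml</MediaType>
      <experimental:URITemplate>https://www.google.com/accounts/o8/user-xrds?uri={%uri}</experimental:URITemplate>
      <experimental:NextAuthority>hosted-id.google.com</experimental:NextAuthority>
    </Service>
  </XRD>
</xrds:XRDS>"""


def parse_services(xrds_text):
    """Return one dict per <Service>: its Type values, its other child elements
    keyed by local name, and whether any child lives in an experimental namespace."""
    root = ET.fromstring(xrds_text)
    services = []
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        entry = {"types": [], "elements": {}, "experimental": False}
        for child in svc:
            ns, _, local = child.tag[1:].partition("}")  # ElementTree tags are "{ns}local"
            if local == "Type" and ns == XRD_NS:
                entry["types"].append((child.text or "").strip())
            else:
                entry["elements"][local] = (child.text or "").strip()
            if ns.startswith(EXPERIMENTAL_PREFIX):
                entry["experimental"] = True  # unvetted feature: RP should treat it as such
        services.append(entry)
    return services


def expand_uri_template(template, user_uri):
    """Assumed rule: replace {%uri} with the percent-encoded user identifier."""
    return template.replace("{%uri}", quote(user_uri, safe=""))
```

An RP can log or refuse the experimental services rather than silently following `NextAuthority` to a host it has not been told to trust.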
